key-signing for pseudonyms

Atom 'Smasher' atom-gpg at
Tue May 18 19:18:16 CEST 2004

On Tue, 18 May 2004, Atom 'Smasher' wrote:

(responding to self)
> of the three checks that a person can do before signing, maybe that
> [verifying the name] is important in *some* settings... maybe email
> address is most important in *some* settings... maybe, in some settings,
> verifying the fingerprint is the best we can hope for...

that last part might not make sense the way most of us think about pgp
keys, so i'll explain my logic.

let's say a key is distributed and its UID reads:
	Mole (Al-Qaida International Enterprises)

all we ~really~ know about the owner of that key is their public key and
its fingerprint.

if such a key is used to sign advance warnings of terrorist attacks, then
we would probably come to "trust" that the owner of that key really is who
they claim to be, even though the ONLY verifiable information we have is
their key fingerprint. (such trust would be dependent on that particular
group taking credit for such attacks)

such a key provides no email address to verify and only a vague pseudonym
as a name, yet it can still earn trust. signing such a key presents a
unique set of problems (social, legal and moral), beyond the intended
scope of this thread, but such a key CAN earn trust that (on a purely
technical level) might justify a signature: they seem to really be who
they claim to be.

moral of the story: a key *can* earn trust even when we have no way of
knowing the identity of the key's owner.


 PGP key -
 762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808

	To become vegetarian is to step into the stream
	which leads to nirvana.
		-- Buddha
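Added example, not part of the message above nor of GnuPG itself: a small Python check that judges a key only by its fingerprint, the one thing the message says is verifiable for a pseudonymous key. The colon-record layout is GnuPG's `--with-colons` output format; the two sample listings are constructed for this example, and only the pinned fingerprint is taken from the signature block above.

```python
# Constructed sample of `gpg --with-colons --fingerprint` output.  The record
# layout (pub / fpr / uid, colon-separated fields) is GnuPG's; the pub and uid
# field values are invented for this example.  Only the fingerprint is real:
# it is the one printed in the signature block of the message above.
PINNED_FINGERPRINT = "762A 3B98 A3C3 96C9 C6B7 582A B88D 52E4 D9F5 7808"

GENUINE_LISTING = """\
pub:-:1024:17:B88D52E4D9F57808:1084000000:::-:::scESC:
fpr:::::::::762A3B98A3C396C9C6B7582AB88D52E4D9F57808:
uid:-::::1084000000::0000000000000000000000000000000000000000::Mole (pseudonymous example):
"""

# Same UID string, different key: the name tells us nothing, the fingerprint does.
IMPOSTOR_LISTING = """\
pub:-:1024:17:89ABCDEF01234567:1084000000:::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::1084000000::0000000000000000000000000000000000000000::Mole (pseudonymous example):
"""


def normalize_fingerprint(fpr: str) -> str:
    """Drop spaces and upper-case, so the printed form compares equal to gpg's."""
    return "".join(fpr.split()).upper()


def primary_fingerprints(listing: str) -> list:
    """Return the primary-key fingerprint of every key in a --with-colons listing.

    The first 'fpr' record after a 'pub' record belongs to the primary key;
    'fpr' records following a 'sub' record are subkey fingerprints and skipped.
    """
    found = []
    after_pub = False
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            after_pub = True
        elif fields[0] == "sub":
            after_pub = False
        elif fields[0] == "fpr" and after_pub and len(fields) > 9:
            found.append(fields[9])  # field 10 of an fpr record is the fingerprint
            after_pub = False
    return found


def key_matches_pin(listing: str, pinned: str) -> bool:
    """True only if the listing holds exactly one primary key and it is the pinned one."""
    fprs = primary_fingerprints(listing)
    return len(fprs) == 1 and normalize_fingerprint(fprs[0]) == normalize_fingerprint(pinned)
```

A listing with two primary keys is rejected as well, so an import that silently pulled in a second "Mole" key would not pass the pin.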